The present invention relates generally to data communication systems and more particularly relates to a dynamic packet filter utilizing session tracking to make decisions on whether to allow or deny a packet.
In recent years, the world has witnessed the explosive growth of the Internet. Each year many more hosts are added while the number of users seems to be growing without limit. The Internet enables communications using different techniques including remote computer login, file transfer, world wide web (WWW) browsing, email, etc. Various protocols have been designed and are in use on the Internet to handle the various types of communications, for example, the file transfer protocol (FTP) for file transfer and the hypertext transfer protocol (HTTP) for web traffic. Generally, the protocols related to Internet communications are grouped under the umbrella of the transmission control protocol/internet protocol (TCP/IP) suite, which includes protocols at various layers of the OSI communications stack.
A key feature of the Internet is that it is a public network that is accessible by nearly anyone with a computer, telephone line and Internet service provider (ISP) account. A downside to this wide scale public accessibility is that it permits easy access for hackers and others intent on carrying out malicious activities against one or more hosts on the Internet. Illegal conduct such as the theft of secret information or the deletion of important files becomes possible once an attacker manages to break into a computer on a remote network or to tap its communication data. The need for security was addressed by the Internet Architecture Board (IAB) by including security features in IPv6, such as encryption and authentication, that permit secure transactions over the Internet.
To combat the threat of hackers and to secure private networks, it is common today to place a firewall at the entrance of the private network in a company or organization. The firewall employs some form of packet filter that functions to enforce a user defined security policy. The firewall is a system that sits at the boundary between the local network of the organization and the global Internet. It implements the filtering of all data communications in order to prevent leakage of information out to the external network and to prevent unauthorized access of the internal network from the outside. A deny/allow decision is made for each packet that is received by the firewall.
At the same time, the world is witnessing increasing demand for wireless services (i.e. cellular phones, two way pagers, cordless devices, etc.) and personal computing devices such as laptops, PDAs, etc. Many of these personal computing devices incorporate wireless communications circuitry to enable them to communicate via wireless networks (e.g., cellular or other broadband schemes) to WAN networks such as the Internet. Thus, more and more PDAs and cellular telephones are being connected to the Internet, exposing these devices to security risks. Preferably, these devices employ some type of firewall to protect against unauthorized access to the device. Most firewalls today, however, are implemented in software and require the computing resources of an entire desktop computer, making their use in a portable computing device such as a cellular telephone or PDA impractical.
Thus, there is a need for a firewall or packet filter that can be implemented in a size small enough for incorporation in small portable computing devices such as cellular telephones and wireless connected PDAs.
The present invention provides a novel and useful dynamic packet filter that can be implemented in hardware, software or a combination of both. The present invention can be incorporated in a hardware-based firewall suitable for use in portable computing devices such as cellular telephones and wireless connected PDAs that are adapted to connect to the Internet.
The invention performs dynamic packet filtering on packets received over an input packet stream. Preferably, the invention is positioned between a WAN (i.e. the Internet) and a LAN. In this case, the dynamic packet filter is operative to filter both inbound packets from WAN to LAN and outbound packets from LAN to WAN. Note that dynamic filtering checks the dynamic behavior of a protocol, that is, the sequence of packets exchanged over a connection, rather than only static per-packet rules. The invention achieves this by creating sessions to track the state of communications between the source and destination.
New sessions are detected, created and data related thereto is stored in a session database. An attempt is made to recognize each received packet and associate it with a previously opened session. Recognition of a session is accelerated by use of a hash table to quickly determine the corresponding session record in the session database. The hash can be calculated using either complete or partial socket information. Complete socket information comprises the 104-bit socket: the 32-bit source and destination IP addresses, the 16-bit source and destination port numbers and the 8-bit protocol. Partial socket information, termed a hole, is missing one or more of these items (for example, the source port of an FTP data connection, which is not known until that connection is opened). A hole database is used to store the holes that are currently opened. Once a packet is recognized as belonging to a hole session, the hole is filled with the missing parameters and becomes a complete session.
If the received packet cannot be associated with an open session, a new session is created. If an existing session is found, the session related data is read from the session database and the received packet is checked against a set of rules. The rules are described as state transition diagrams that specify the states and transitions permitted by the particular protocol.
If a packet conforms to the legal behavior for the protocol, it is allowed, otherwise, it is denied. The session data is then updated with new state information and related parameters and written back into the session database.
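The session lookup, hole filling and state-transition checking described above, worked through as an added Python example (this is not code from the patent or any product it describes). It assumes IPv4 and TCP only, a filter placed between a LAN and a WAN with the policy that only the LAN side may open brand-new sessions, and that the FTP command parsing which would normally register a hole is replaced by an explicit open_hole call; the names DynamicFilter, decide, open_hole and run_demo, the state names and the packet sequence are all the example's own constructions.

```python
"""Session-tracking dynamic packet filter (added example, not the patent's code).

Assumptions: IPv4 and TCP only; the filter sits between a LAN and a WAN; a new
session may be opened only by a SYN from the LAN side, or by a SYN that matches a
pre-registered hole (partial socket) such as an expected FTP data connection.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP = 6


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    flags: int
    side: str  # "lan" = arrived from the LAN, "wan" = arrived from the WAN


def socket_key(src_ip, dst_ip, sport, dport, proto):
    """Complete 104-bit socket: 32+32-bit addresses, 16+16-bit ports, 8-bit protocol.
    A dict keyed on these 13 bytes plays the role of the session hash table."""
    return struct.pack("!4s4sHHB", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, sport, dport, proto)


def hole_key(src_ip, dst_ip, dport, proto):
    """Partial socket (a hole): the source port is unknown, so it is left out."""
    return struct.pack("!4s4sHB", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, dport, proto)


# State-transition rules: (state, direction relative to initiator, flags) -> next state.
RULES = {("SYN_SENT", "rev", SYN | ACK): "SYN_RECEIVED",
         ("SYN_RECEIVED", "fwd", ACK): "ESTABLISHED"}
for _d in ("fwd", "rev"):
    RULES[("ESTABLISHED", _d, ACK)] = "ESTABLISHED"
    RULES[("ESTABLISHED", _d, FIN | ACK)] = "FIN_WAIT"
    RULES[("FIN_WAIT", _d, ACK)] = "FIN_WAIT"
    RULES[("FIN_WAIT", _d, FIN | ACK)] = "CLOSED"


class DynamicFilter:
    def __init__(self):
        self.sessions = {}  # forward and reverse socket keys both map to one record
        self.holes = set()  # partial sockets waiting for their missing source port

    def open_hole(self, src_ip, dst_ip, dport, proto=TCP):
        self.holes.add(hole_key(src_ip, dst_ip, dport, proto))

    def _create(self, p):
        rec = {"state": "SYN_SENT",
               "fwd": socket_key(p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto),
               "rev": socket_key(p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)}
        self.sessions[rec["fwd"]] = rec
        self.sessions[rec["rev"]] = rec

    def _delete(self, rec):
        self.sessions.pop(rec["fwd"], None)
        self.sessions.pop(rec["rev"], None)

    def decide(self, p):
        """Return True to allow the packet, False to deny it."""
        flags = p.flags & (FIN | SYN | RST | ACK)  # PSH/URG do not affect the rules
        key = socket_key(p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)
        rec = self.sessions.get(key)  # first hash: complete socket
        if rec is None:
            hk = hole_key(p.src_ip, p.dst_ip, p.dst_port, p.proto)  # second hash: hole
            if flags == SYN and (hk in self.holes or p.side == "lan"):
                self.holes.discard(hk)  # fill the hole: source port is now known
                self._create(p)
                return True
            return False  # unsolicited inbound SYN, stray SYN-ACK or sessionless packet
        if flags & RST:  # either side may abort; drop the session record
            self._delete(rec)
            return True
        direction = "fwd" if rec["fwd"] == key else "rev"
        nxt = RULES.get((rec["state"], direction, flags))
        if nxt is None:
            return False  # packet violates the protocol state machine
        if nxt == "CLOSED":
            self._delete(rec)
        else:
            rec["state"] = nxt  # write updated state back into the session database
        return True


def run_demo():
    """Constructed packet sequence (not captured traffic): an FTP control handshake,
    two inbound probes, a hole-filled data connection, a mid-session SYN, a close."""
    f = DynamicFilter()
    c, s, probe = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    first = [Packet(c, s, 51000, 21, TCP, SYN, "lan"),            # allow: LAN opens session
             Packet(s, c, 21, 51000, TCP, SYN | ACK, "wan"),      # allow: expected SYN-ACK
             Packet(c, s, 51000, 21, TCP, ACK, "lan"),            # allow: ESTABLISHED
             Packet(probe, c, 4444, 22, TCP, SYN, "wan"),         # deny: unsolicited SYN
             Packet(probe, c, 80, 51001, TCP, SYN | ACK, "wan")]  # deny: no session
    decisions = [f.decide(p) for p in first]
    f.open_hole(s, c, 40001)  # stands in for a parsed FTP PORT command naming port 40001
    second = [Packet(s, c, 20, 40001, TCP, SYN, "wan"),           # allow: fills the hole
              Packet(c, s, 40001, 20, TCP, SYN | ACK, "lan"),     # allow: reply direction
              Packet(s, c, 21, 51000, TCP, SYN, "wan"),           # deny: SYN when ESTABLISHED
              Packet(c, s, 51000, 21, TCP, FIN | ACK, "lan"),     # allow: FIN_WAIT
              Packet(s, c, 21, 51000, TCP, FIN | ACK, "wan"),     # allow: CLOSED, removed
              Packet(c, s, 51000, 21, TCP, ACK, "lan")]           # deny: session is gone
    decisions += [f.decide(p) for p in second]
    return decisions, f


if __name__ == "__main__":
    print(run_demo()[0])
```

Two points worth noting in this design. A hole is consumed by the first matching SYN and removed from the hole database, so the window in which a partial socket admits traffic is as narrow as possible; a filter that left holes open would let any host that guessed the announced port connect. Both the forward and reverse socket keys point at the same session record, so the reply direction of an established session is recognized through the same hash lookup and only the state-transition table decides whether that reply is legal.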
Although the invention is intended for implementation in hardware, it can also be implemented in software. In one embodiment, a computer comprising a processor, memory, etc. is operative to execute software adapted to perform the dynamic packet filtering method of the present invention.
There is thus provided in accordance with the present invention a method of filtering an input packet stream, the method comprising the steps of establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket, opening a new session upon receipt of a socket not previously stored in the session database, recognizing a session associated with a received packet in accordance with its associated socket, processing the session data corresponding to the received packet in accordance with a plurality of predefined rules to generate processing results and deciding whether to allow or deny the received packet in accordance with the processing results.
There is also provided in accordance with the present invention a method of monitoring the state of a communications session, the method comprising the steps of establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket, recognizing a session in accordance with a first hash calculation on the socket associated with a received packet, recognizing a hole session in accordance with a second hash calculation on a partial socket associated with the received packet, reading session data from the session database, the session data associated with either a recognized session or a recognized hole session, tracking a connection state of the session and checking the state against a plurality of rules to determine whether to allow or deny the received packet and writing updated session data back into the session database.
There is further provided in accordance with the present invention a dynamic filter for filtering an input packet stream comprising a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket, a session recognition module adapted to search the session database for a session whose associated socket matches that of a received packet, a session management module adapted to maintain the session database including adding, deleting and modifying sessions in the session database and a main filter module operative to track a connection state of the session corresponding to a received packet and checking the connection state against a plurality of rules to determine whether to allow or deny the received packet.
There is also provided in accordance with the present invention a digital computing apparatus, comprising communication means adapted to connect the apparatus to a wide area network (WAN), memory means comprising volatile and non-volatile memory, the non-volatile memory adapted to store one or more application programs, a processor coupled to the memory means and the communication means for executing the one or more application programs and a dynamic filter for filtering an input packet stream comprising a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket, a session recognition module adapted to search the session database for a session whose associated socket matches that of a received packet, a session management module adapted to maintain the session database including adding, deleting and modifying sessions in the session database and a main filter module operative to track a connection state of the session corresponding to a received packet and checking the connection state against a plurality of rules to determine whether to allow or deny the received packet.
There is still further provided in accordance with the present invention a computer readable storage medium having a computer program embodied thereon for causing a suitably programmed system to filter an input packet stream by performing the following steps when such program is executed on the system: establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket, opening a new session upon receipt of a socket not previously stored in the session database, recognizing a session associated with a received packet in accordance with its associated socket, processing the session data corresponding to the received packet in accordance with a plurality of predefined rules to generate processing results and deciding whether to allow or deny the received packet in accordance with the processing results.